I am trying to host bitcoin core over an SSL connection, because it is by default only accessible over HTTP (there used to be an option to configure SSL for the RPC but it was removed back in 0.12).
However, I am finding it difficult to make requests using
stunnel software that encapsulates the connection over HTTPS.
This is what I'm trying so far (on a testnet connection):
# curl --data-binary '{"jsonrpc":"1.0","id":"curltext","method":"getblockchaininfo","params":[]}' -H 'content-type:text/plain;' https://user:pass@127.0.0.1:28332 -v
* Trying 127.0.0.1:28332...
* TCP_NODELAY set
* Connected to 127.0.0.1 (127.0.0.1) port 28332 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* OpenSSL SSL_connect: Connection reset by peer in connection to 127.0.0.1:28332
* Closing connection 0
curl: (35) OpenSSL SSL_connect: Connection reset by peer in connection to 127.0.0.1:28332 My stunnel.conf:
pid=/var/run/stunnel/stunnel.pid
[bitcoind testnet]
accept = 0.0.0.0:28332
cert = /etc/stunnel/stunnel.pem
client = yes
connect = 127.0.0.1:18332
As you can see, by default Bitcoind only binds to localhost and not to the other interfaces (I think there is an option "rpcserver" that configures this or similarly named).
I need to get Bitcoind hosted on my public interface (0.0.0.0) over HTTPS because its running on a different machine than the one that has the rest of the API that's calling it, and I don't like exposing the username and password over HTTP. It is being used for non-wallet functionality.
Changing
client = yes to
client = no changes the output to this:
* Trying 127.0.0.1:28332...
* TCP_NODELAY set
* Connected to 127.0.0.1 (127.0.0.1) port 28332 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (OUT), TLS alert, unknown CA (560):
* SSL certificate problem: self signed certificate
* Closing connection 0
curl: (60) SSL certificate problem: self signed certificate
More details here: https://curl.haxx.se/docs/sslcerts.html
curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
As you can see, I am using a self-signed certificate, I need to figure out a way to make CURL stop complaining about this warning so that RPC calls can be made.
